Threat actors associated with Kinsing have been spotted making attempts to exploit the recently disclosed Linux privilege escalation vulnerability known as Looney Tunables in what has been described as a “new experimental campaign” aimed at compromising cloud environments.
Notably, the attackers have extended their tactics by extracting credentials from the Cloud Service Provider (CSP), as revealed in a report by cloud security firm Aqua. This marks the first documented case of active exploitation of Looney Tunables (CVE-2023-4911), a vulnerability that could potentially grant a threat actor root privileges.
Kinsing actors have gained a reputation for swiftly adapting their attack strategies to take advantage of newly disclosed security vulnerabilities. They have recently weaponized a high-severity flaw in Openfire (CVE-2023-32315) to achieve remote code execution.
The latest series of attacks involves exploiting a critical remote code execution weakness in PHPUnit (CVE-2017-9841). This tactic has been a known approach employed by the cryptojacking group since at least 2021, allowing them to gain initial access.
Following this initial access, the threat actors manually scan the victim’s environment for the presence of Looney Tunables. They do so by using a Python-based exploit published by a researcher known as bl4sty on X (formerly Twitter).
Subsequently, Kinsing fetches and executes an additional PHP exploit. The exploit is obfuscated; once de-obfuscated, it turns out to be a JavaScript script designed for further malicious activity.
The JavaScript code acts as a web shell, providing backdoor access to the compromised server. This access allows the adversary to perform various actions, including file management, command execution, and the gathering of additional information about the targeted system.
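As an added detection example that is not from Aqua's report or from the Kinsing tooling, the Python below flags the two stages described above in defender-side telemetry: requests to PHPUnit's eval-stdin.php endpoint in web access logs, and process executions whose GLIBC_TUNABLES environment value is malformed or unusually long. The access-log lines and exec events are constructed, and the auditd/eBPF event shape and the 200-byte length threshold are assumptions.

```python
import re

# Apache/nginx combined-format access-log line: client, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Path suffix of the PHPUnit eval-stdin.php endpoint abused via CVE-2017-9841.
PHPUNIT_SUFFIX = "/phpunit/src/util/php/eval-stdin.php"


def flag_phpunit_requests(log_lines):
    """Return access-log entries that target eval-stdin.php, whatever the status code."""
    hits = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if m and m.group("path").split("?")[0].lower().endswith(PHPUNIT_SUFFIX):
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "status": int(m.group("status"))})
    return hits


def tunables_is_suspicious(value, max_len=200):
    """Heuristic: GLIBC_TUNABLES is normally a few short 'glibc.x.y=v' pairs joined by ':'.
    Over-long values, or tokens that are not exactly one glibc.* name=value pair, are flagged."""
    if len(value) > max_len:
        return True
    for token in filter(None, value.split(":")):
        name, sep, val = token.partition("=")
        if not sep or not name.startswith("glibc.") or "=" in val:
            return True
    return False


def flag_exec_events(events):
    """Return executables from exec events (assumed auditd/eBPF-style dicts, constructed here)
    whose environment carried a suspicious GLIBC_TUNABLES value."""
    return [e["exe"] for e in events
            if "GLIBC_TUNABLES" in e.get("env", {})
            and tunables_is_suspicious(e["env"]["GLIBC_TUNABLES"])]


# Constructed sample telemetry (not real logs).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [03/Nov/2023:10:12:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [03/Nov/2023:10:12:03 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2048 "-" "-"',
    '203.0.113.7 - - [03/Nov/2023:10:12:05 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php?x=1 HTTP/1.1" 404 162 "-" "-"',
]
SAMPLE_EXEC_EVENTS = [
    {"exe": "/usr/bin/ls", "env": {"GLIBC_TUNABLES": "glibc.malloc.tcache_count=2"}},
    {"exe": "/usr/bin/su", "env": {"GLIBC_TUNABLES": "glibc.malloc.mxfast=" + "A" * 4096}},
    {"exe": "/usr/bin/id", "env": {}},
]

if __name__ == "__main__":
    print(flag_phpunit_requests(SAMPLE_ACCESS_LOG))
    print(flag_exec_events(SAMPLE_EXEC_EVENTS))
```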
The ultimate objective of these attacks appears to be the extraction of credentials associated with the cloud service provider. This represents a significant departure from the threat actor’s previous pattern, where they typically deployed the Kinsing malware and engaged in cryptocurrency mining.
A security researcher noted, “This recent development suggests a potential broadening of their operational scope, signaling that the Kinsing operation may diversify and intensify in the near future, thereby posing an increased threat to cloud-native environments.”
This evolving threat landscape emphasizes the importance of proactive security measures in safeguarding cloud environments against sophisticated and adaptive adversaries like Kinsing.
To prevent incidents like this, organizations should regularly patch and update their systems and software. Employing robust security practices, including intrusion detection and monitoring of cloud environments, can help detect and mitigate such attacks. Additionally, educating employees about cybersecurity best practices and the importance of safeguarding credentials is crucial. To fortify your organization’s cloud security and protect against evolving threats, consider Protergo’s advanced cybersecurity solutions.